Dynamic Access Control developer extensibility
The Dynamic Access Control (DAC) scenario, as delivered in Windows Server 2012, has a variety of developer extensibility points that add customization potential for your applications development. Many of these extensibility points are outlined in this topic, some with additional information and others to be further developed.
- Introduction
- Managing Central Access Policies
- User claim provisioning to Active Directory
- Creating DAC compatible file classification properties
- Classification-aware applications
- Audit event analysis for compliance reporting and forensic analysis
- Integrating DAC access and audit policies into applications
- Constructing a plug-in for the File Classification Infrastructure
- Data management for file servers
- DAC How-to topics
- Additional resources
- Related topics
Introduction
The DAC developer extensibility areas are organized by types of extensibility. These are outlined in the set of tables that follow. These extensibility points, or programmatic customization points, are intended for experienced programmers.
Managing Central Access Policies
Creating Central Access Policies (CAP) for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using security groups, user claims, device claims, and resource properties. These polices are based on compliance and business regulatory requirements. These policies are created and hosted in Active Directory (AD), therefore making it easier to manage and deploy.
Some aspects of CAP management can be further configured programmatically through AD and are outlined as follows.
For more information on CAPs, see Dynamic Access Control Scenario: Central Access Policy on TechNet or Centralized Authorization Policy on MSDN.
| Scenario | Guidance |
|---|---|
| A partner that develops policy management and modeling solutions integrates with the DAC access and audit policy so that the policies can be configured through the policy management solution that the partner provides. |
How to use central access policies for DAC Active directory configuration for DAC objects: How to set up a claim type, Dynamic Access Control objects in Active Directory How to read DAC objects using LDAP |
User claim provisioning to Active Directory
In Windows Server 2012, the AD Domain Server maintains a claims dictionary in each forest and all claim types in use within the forest are defined at the AD forest level.
Custom user claims provisioning can be effected programmatically.
| Scenario | Guidance |
|---|---|
| A partner develops a product that allows organizations to manage user claims in AD so that organizations can source the claims from multiple repositories as well as delegate the assignment of specific claims and specific values for these claims. |
How to use central access policies How to set up a claim type Dynamic Access Control containers in Active Directory How to set up a resource property |
Creating DAC compatible file classification properties
By creating file classification properties on files in a manner compatible with DAC, Central Access Policies are correctly applied to files that are stored or move to a Windows Server 2012 share.
| Scenario | Guidance |
|---|---|
| Providing automatic and manual classification of files on Windows and non-Windows based machines. When those files are moved to a DAC enabled workload, the corresponding Central Access Policy is enforced. |
Accessing Classification Properties [MS-FCIADS]: File Classification Infrastructure Alternate Data Stream (ADS) File Format |
Classification-aware applications
Classification-aware applications are applications that create or consume file classification properties on files. These applications range from a Line of Business type application that classify files they create based on the value of the data, for example Impact=High, to Information Worker applications such as a data entry application that allows the user to determine the classification of the information they are creating.
| Scenario | Guidance |
|---|---|
| Users saving a picture in a paint application are asked to determine the classification of the file before they are allowed to save the file. |
Applications can read the classification information on files they are manipulating and display it so that users can view how the file is classified. They can also allow users to change the classification properties, updating them using the classification APIs. For more information see Accessing Classification Properties |
| Users are manually classifying many files on client and server. |
Bulk file classification: The classification manager interfaces (see the File Server Resource Manager (FSRM) Interfaces topic) provides clear, enumerate, get, and set capability for classification properties on files. It also provides a Classifying Files API to efficiently classify files as a bulk operation through call-backs within FCI for each individual file. For more information, see Classifying Files. |
| A Data Leakage Protection (DLP) solution sees the classification and acts on it. |
A data leakage protection solution can read classification information stored on the file then apply a policy such as alerting users that are trying to store sensitive information on a USB device or a user is sending sensitive documents through email. For more information see Accessing Classification Properties. |
| An application moving data from one repository to another can classify the data based on its knowledge of the data. |
When a line of business application moves data from a repository, such as a database, and stores it on a file server (e.g.: as an Excel spreadsheet) it can also classify the file according to the business needs (e.g.: PII=Yes, Impact=High). For more information see Accessing Classification Properties. |
Audit event analysis for compliance reporting and forensic analysis
Security auditing is not new to Windows, it has been around since Windows NT. In Windows Server 2012 and Windows 8 we have made significant improvements to auditing by:
- Reducing audit volume by introducing expression-based audit policies that help target relevant data
- Improving consumption of audit events by adding more metadata to the events which in turn can be consumed by audit analysis tools to enable users get to the most relevant events quickly
- Making it possible to test changes to CAPs directly in the production environment through Staging
Developers of audit event reporting and analysis tools can leverage these improvements to enhance their products with better audit reports that help users answer questions such as "Who access my finance information in the last three months?" or "How will this proposed change in access policy impact my users?".
| Scenario | Guidance |
|---|---|
| The developer of an audit event analysis and reporting solution wants to enhance his product with new reports that help users understand file access in their Enterprise and helps them deploy changes to the CAPs. |
How to enrich audit reporting covers these events: file access, user logon and staging |
Integrating DAC access and audit policies into applications
Integrating DAC access and audit policies into applications enables those applications to use the new authorization capabilities in Windows Server 2012 so that they can implement scenarios such as centrally managed access control that spans across the application and other data repositories or access control based on conditional expressions and user/device claims.
Constructing a plug-in for the File Classification Infrastructure
Constructing a plug-in for the File Classification Infrastructure (FCI) is enables Data Leakage Prevention (DLP) solutions to plug into the new DAC capabilities so that customers can control access, audit and encryption based on the DLP solution's analysis engine.
| Scenario | Guidance |
|---|---|
| Advanced classification used to apply access, audit, encryption, and data life-cycle management policies to information on file servers. |
Developing FCI Pipeline Modules |
Data management for file servers
Data management for file servers provides solutions to manage the vast amount of fast growing unstructured data on file servers. Using the FCI capabilities, developers can enhance their product to enable data management based on the business value (classification properties) of the files so that organizations can define data management policies across their unstructured repositories.
| Scenario | Guidance |
|---|---|
| A partner product implements data life-cycle management on file servers based on classification of the data. |
For examples see Accessing Classification Properties and Classifying Files. |
DAC How-to topics
How to configure a file management task
How to create a custom storage plug-in
How to read Dynamic Access Control objects using LDAP
How to use custom file classification
How to use central access policies for dynamic access control
Dynamic Access Control containers in Active Directory
How to set up a resource property
How to setup a central access rule
How to setup a central access policy
Additional resources
Deploy a Central Access Policy (Demonstration Steps) [TechNet]
Dynamic Access Control: Scenario Overview [TechNet]
Extensible File Classification Infrastructure
Working with File Classification
Related topics
Create a Custom File Management Task
Developing FCI Pipeline Modules